
CVE-2026-20182 PUBLISHED KEV CVSS 10 CRITICAL

CVE-2026-20182 is a critical authentication bypass affecting the DTLS-based control-connection handshake in Cisco Catalyst SD-WAN Controller and SD-WAN Manager. The flaw exists because, when a connecting peer declares itself to be a vHub device, the system omits device-type-specific certificate verification yet still marks the peer as authenticated. An unauthenticated remote attacker can exploit this by sending a crafted DTLS handshake sequence that bypasses authentication checks and establishes a trusted control-plane peer relationship. Once authenticated, the attacker can issue arbitrary configuration commands across the SD-WAN fabric or establish persistent administrative access.

CVE-2026-20224 is an XML External Entity (XXE) injection vulnerability in the web UI of Cisco Catalyst SD-WAN Manager. The vulnerability is caused by improper handling of XML External Entity entries during XML parsing. An unauthenticated remote attacker can send a crafted HTTP request to exploit this flaw and read arbitrary files stored on the underlying system, without requiring valid credentials.

CVE-2026-20209 is a privilege escalation vulnerability in the web UI of Cisco Catalyst SD-WAN Manager. The vulnerability exists because sensitive session information is recorded in audit logs. An authenticated remote attacker with read-only permissions can retrieve privileged session tokens from those logs and use them to perform actions as a high-privileged user.

CVE-2026-20210 is a privilege escalation vulnerability in the web UI of Cisco Catalyst SD-WAN Manager. The vulnerability is caused by a failure to redact sensitive information within device configurations and templates. An authenticated remote attacker with read-only permissions can access this exposed sensitive information and use it to elevate their privileges to those of a high-privileged user.

EPSS 83.13% · 99.3rd percentile

Risk Scores

CVSS 3.1: 10 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 83.13% (99.3rd percentile)

Affected Products

Vendor: Cisco
Product: Cisco Catalyst SD-WAN Manager (formerly vManage)
Versions: all deployment types; releases prior to 20.9.9.1, 20.12.5.4 / 20.12.6.2 / 20.12.7.1, 20.15.4.4 / 20.15.5.2, 20.18.2.2, 26.1.1.1

Vendor: Cisco
Product: Cisco Catalyst SD-WAN Controller (formerly vSmart)
Versions: all deployment types (On-Prem, Cloud-Pro, Cisco Managed Cloud, FedRAMP); releases prior to 20.9.9.1, 20.12.5.4 / 20.12.6.2 / 20.12.7.1, 20.15.4.4 / 20.15.5.2, 20.18.2.2, 26.1.1.1

Timeline

  • May 14, 2026 CISA KEV Added
  • May 14, 2026 PoC Published
  • May 14, 2026 CVE Published